MozDef: The Mozilla Defense Platform
Clone or download
pwnbus Merge pull request #749 from mpurzynski/suricatafixup
Rename details.alert to details.suricata_alert to avoid conflicts
Latest commit 144f5b4 Sep 19, 2018
Failed to load latest commit information.
.github Update Jun 15, 2017
alerts Fixup deadman alert to use hostname field Aug 20, 2018
benchmarking Remove leftover javascript comment line Jan 5, 2018
bot Update slack bot message text Apr 13, 2018
config Adding updated logrotate scripts for mozdef archival of old logs. Aug 27, 2018
cron Merge pull request #731 from Phrozyn/sqs_queue_status Aug 28, 2018
docker Merge pull request #741 from mozilla/unexpose_restapi Sep 13, 2018
docs Long overdue update to the overview. Jun 7, 2018
examples remove errant fields May 17, 2018
lib Adding change to elasticsearch_client to check for index existence. Jul 12, 2018
loginput Self describe api type in status route Jun 14, 2018
meteor Adding publishing for sqsstats collection Aug 6, 2018
mq Merge pull request #749 from mpurzynski/suricatafixup Sep 19, 2018
rest Merge pull request #719 from mozilla/dns_blocklist Jul 23, 2018
static Remove heatmap html page Jun 15, 2017
systemdfiles Naming Convention and Logging Changes. Oct 4, 2017
tests Merge pull request #749 from mpurzynski/suricatafixup Sep 19, 2018
.gitignore updated dots to underscores Aug 25, 2017
.travis.yml Convert travis tests to use docker container Sep 7, 2018 Modifying urls to point to mozilla from jeffbryner, slight readabilit… Jun 15, 2017
LICENSE Updated license file to conform with MPL Feb 25, 2014
Makefile Add new command for removing tests containers Feb 9, 2018 [Docs] - Mozilla/MozDef - - changing markdown layout Jan 4, 2018
requirements.txt Add uwsgi to requirements file Jun 21, 2018

Build Status Documentation Status

MozDef: The Mozilla Defense Platform


The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.

The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.


  • Provide a platform for use by defenders to rapidly discover and respond to security incidents.
  • Automate interfaces to other systems like bunker, banhammer, mig
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation


MozDef is in production at Mozilla where we are using it to process over 300 million events per day.